<!--
Copyright 2004 - 2013 Wayne Grant
          2013 - 2017 Kai Kramer

This file is part of KeyStore Explorer.

KeyStore Explorer is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.

KeyStore Explorer is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with KeyStore Explorer.  If not, see <http://www.gnu.org/licenses/>.
-->
<html>
    <head>
        <title>About KeyStores</title>
        <link rel=stylesheet href="help.css" type="text/css">
    </head>

    <body>

        <h1>Specifications</h1>

        <hr>

        <h2>KeyStores</h2>

        KeyStore Explorer supports the management of the following KeyStore types:

        <br><br>

        <table border="1">
            <tr>
                <th>Type</th>
                <th>Description</th>
            </tr>
            <tr>
                <td>JKS</td>
                <td>Java KeyStore. Oracle's KeyStore format.</td>
            </tr>
            <tr>
                <td>JCEKS</td>
                <td>Java Cryptography Extension KeyStore. More secure version of JKS.</td>
            </tr>
            <tr>
                <td>PKCS #12</td>
                <td>Public-Key Cryptography Standards #12 KeyStore. RSA's KeyStore format.</td>
            </tr>
            <tr>
                <td>BKS</td>
                <td>Bouncy Castle KeyStore. Bouncy Castle's version of JKS.</td>
            </tr>
            <tr>
                <td>BKS-V1</td>
                <td>Older and incompatible version of Bouncy Castle KeyStore.</td>
            </tr>
            <tr>
                <td>UBER</td>
                <td>Bouncy Castle UBER KeyStore. More secure version of BKS.</td>
            </tr>
        </table>

        <h2>Key Pairs</h2>

        KeyStore Explorer supports RSA, DSA and EC Key Pairs. It is capable of generating
        such Key Pairs with the following key sizes, signature algorithms and curves:

        <br><br>

        <table border="1">
            <tr>
                <th>Key Pair Algorithm</th>
                <th>Key Size (bits)</th>
                <th>Signature Algorithm</th>
            </tr>
            <tr valign="top">
                <td rowspan="10">RSA</td>
                <td rowspan="10">512 - 16384</td>
                <td>MD2 with RSA</td>
            </tr>
            <tr>
                <td>MD5 with RSA</td>
            </tr>
            <tr>
                <td>RIPEMD-128 with RSA</td>
            </tr>
            <tr>
                <td>RIPEMD-160 with RSA</td>
            </tr>
            <tr>
                <td>RIPEMD-256 with RSA</td>
            </tr>
            <tr>
                <td>SHA-1 with RSA</td>
            </tr>
            <tr>
                <td>SHA-224 with RSA</td>
            </tr>
            <tr>
                <td>SHA-256 with RSA</td>
            </tr>
            <tr>
                <td>SHA-384 with RSA *</td>
            </tr>
            <tr>
                <td>SHA-512 with RSA **</td>
            </tr>
            <tr valign="top">
                <td rowspan="5">DSA</td>
                <td rowspan="5">512 - 1024</td>
                <td>SHA-1 with DSA</td>
            </tr>
            <tr>
                <td>SHA-224 with DSA</td>
            </tr>
            <tr>
                <td>SHA-256 with DSA</td>
            </tr>
            <tr>
                <td>SHA-384 with DSA</td>
            </tr>
            <tr>
                <td>SHA-512 with DSA</td>
            </tr>
        </table>

    	<table border="1">
    		<tr>
    	        <th class="plain">Key Pair Algorithm</th>
    	        <th class="plain">Curve Set</th>
    	        <th class="plain">Curves ***</th>
    	    </tr>
    		<tr valign="middle">
    			<td class="plain_odd" rowspan="4" align="left" valign="top">EC</td>
    			<td class="plain_odd" align="left" valign="top">NIST</td>
    			<td class="plain_odd" align="left">B-163, B-233, B-283, B-409, B-571, K-163, K-233, K-283, K-409, K-571, P-192,
    				P-224, P-256, P-384, P-521
    			</td>
    		</tr>
    		<tr valign="middle">
    			<td class="plain_even" align="left" valign="top">SEC</td>
    			<td class="plain_even" align="left">secp112r1, secp112r2, secp128r1, secp128r2, secp160k1, secp160r1, secp160r2,
    				secp192k1, secp192r1, secp224k1, secp224r1, secp256k1, secp256r1, secp384r1, secp521r1, sect113r1, sect113r2,
    				sect131r1, sect131r2, sect163k1, sect163r1, sect163r2, sect193r1, sect193r2, sect233k1, sect233r1, sect239k1,
    				sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1</td>
    		</tr>
    		<tr valign="middle">
    			<td class="plain_odd" align="left" valign="top">ANSI X9.62</td>
    			<td class="plain_odd" align="left">prime192v1, prime192v2, prime192v3, prime239v1, prime239v2, prime239v3,
    				prime256v1, c2pnb163v1, c2pnb163v2, c2pnb163v3, c2pnb176w1, c2tnb191v1, c2tnb191v2, c2tnb191v3, c2tnb239v1,
    				c2tnb239v2, c2tnb239v3, c2tnb359v1, c2tnb431r1, c2pnb208w1, c2pnb272w1, c2pnb304w1, c2pnb368w1</td>
    		</tr>
    		<tr valign="middle">
    			<td class="plain_odd" align="left" valign="top">Brainpool</td>
    			<td class="plain_odd" align="left">brainpoolP160r1, brainpoolP160t1, brainpoolP192r1, brainpoolP192t1,
    				brainpoolP224r1, brainpoolP224t1, brainpoolP256r1, brainpoolP256t1, brainpoolP320r1, brainpoolP320t1,
    				brainpoolP384r1, brainpoolP384t1, brainpoolP512r1, brainpoolP512t1
    			</td>
    		</tr>
    	</table>

        <br>
        * - Requires an RSA key size of at least 624 bits
        <br>
        ** - Requires an RSA key size of at least 752 bits
        <br>
	    *** - Availability of curves depends on the keystore type.

        <h2>Certificates and CRLs</h2>

        KeyStore Explorer supports Version 1 and Version 3 X.509 certificates as well as
        CRLs. In addition, for Version 3 certificates and CRLs, it supports the
        display of a wide range of extensions.

        <h2>Certificate Signing Requests (CSR)</h2>

        KeyStore Explorer supports the generation and signing of the following CSR types:

        <br><br>

        <table border="1">
            <tr>
                <th>Type</th>
                <th>Description</th>
            </tr>
            <tr>
                <td>PKCS #10</td>
                <td>Public-Key Cryptography Standards #10 CSR, RSA's CSR format.</td>
            </tr>
            <tr>
                <td>SPKAC</td>
                <td>Signed Public Key and Challenge (SPKAC), Netscape's CSR format.</td>
            </tr>
        </table>

        <h2>X.509 Extensions</h2>

        KeyStore Explorer supports the display of the full set of extensions
        specified in RFC 3280 (Certificate and CRL Profile) and the
        Netscape Certificate Extensions, among others. In addition, most of
        the certificate extensions can be added to generated
        certificates and signed CSRs.

        <br><br>

        <table border="1">
            <tr>
                <th>Extension Name</th>
                <th>Extension OID</th>
                <th>View</th>
                <th>Add to Certificates / CSRs</th>
            </tr>
            <tr>
                <td>Entrust Version Information</td>
                <td>1.2.840.113533.7.65.0</td>
                <td align="center">X</td>
                <td align="center">&nbsp;</td>
            </tr>
            <tr>
                <td>Authority Information Access</td>
                <td>1.3.6.1.5.5.7.1.1</td>
                <td align="center">X</td>
                <td align="center">X</td>
            </tr>
            <tr>
                <td>Subject Information Access</td>
                <td>1.3.6.1.5.5.7.1.11</td>
                <td align="center">X</td>
                <td align="center">X</td>
            </tr>
            <tr>
                <td>Subject Directory Attributes</td>
                <td>2.5.29.9</td>
                <td align="center">X</td>
                <td align="center"></td>
            </tr>
            <tr>
                <td>Subject Key Identifier</td>
                <td>2.5.29.14</td>
                <td align="center">X</td>
                <td align="center">X</td>
            </tr>
            <tr>
                <td>Key Usage</td>
                <td>2.5.29.15</td>
                <td align="center">X</td>
                <td align="center">X</td>
            </tr>
            <tr>
                <td>Private Key Usage Period</td>
                <td>2.5.29.16</td>
                <td align="center">X</td>
                <td align="center">X</td>
            </tr>
            <tr>
                <td>Subject Alternative Name</td>
                <td>2.5.29.17</td>
                <td align="center">X</td>
                <td align="center">X</td>
            </tr>
            <tr>
                <td>Issuer Alternative Name</td>
                <td>2.5.29.18</td>
                <td align="center">X</td>
                <td align="center">X</td>
            </tr>
            <tr>
                <td>Basic Constraints</td>
                <td>2.5.29.19</td>
                <td align="center">X</td>
                <td align="center">X</td>
            </tr>
            <tr>
                <td>CRL Number</td>
                <td>2.5.29.20</td>
                <td align="center">X</td>
                <td align="center">N/A</td>
            </tr>
            <tr>
                <td>Reason Code</td>
                <td>2.5.29.21</td>
                <td align="center">X</td>
                <td align="center">N/A</td>
            </tr>
            <tr>
                <td>Hold Instruction Code</td>
                <td>2.5.29.23</td>
                <td align="center">X</td>
                <td align="center">N/A</td>
            </tr>
            <tr>
                <td>Invalidity Date</td>
                <td>2.5.29.24</td>
                <td align="center">X</td>
                <td align="center">N/A</td>
            </tr>
            <tr>
                <td>Delta CRL Indicator</td>
                <td>2.5.29.27</td>
                <td align="center">X</td>
                <td align="center">N/A</td>
            </tr>
            <tr>
                <td>Issuing Distribution Point</td>
                <td>2.5.29.28</td>
                <td align="center">X</td>
                <td align="center">N/A</td>
            </tr>
            <tr>
                <td>Certificate Issuer</td>
                <td>2.5.29.29</td>
                <td align="center">X</td>
                <td align="center">N/A</td>
            </tr>
            <tr>
                <td>Name Constraints</td>
                <td>2.5.29.30</td>
                <td align="center">X</td>
                <td align="center">X</td>
            </tr>
            <tr>
                <td>CRL Distribution Points</td>
                <td>2.5.29.31</td>
                <td align="center">X</td>
                <td align="center"></td>
            </tr>
            <tr>
                <td>Certificate Policies</td>
                <td>2.5.29.32</td>
                <td align="center">X</td>
                <td align="center">X</td>
            </tr>
            <tr>
                <td>Policy Mappings</td>
                <td>2.5.29.33</td>
                <td align="center">X</td>
                <td align="center">X</td>
            </tr>
            <tr>
                <td>Authority Key Identifier</td>
                <td>2.5.29.35</td>
                <td align="center">X</td>
                <td align="center">X</td>
            </tr>
            <tr>
                <td>Policy Constraints</td>
                <td>2.5.29.36</td>
                <td align="center">X</td>
                <td align="center">X</td>
            </tr>
            <tr>
                <td>Extended Key Usage</td>
                <td>2.5.29.37</td>
                <td align="center">X</td>
                <td align="center">X</td>
            </tr>
            <tr>
                <td>Freshest CRL</td>
                <td>2.5.29.46</td>
                <td align="center">X</td>
                <td align="center"></td>
            </tr>
            <tr>
                <td>Inhibit Any Policy</td>
                <td>2.5.29.54</td>
                <td align="center">X</td>
                <td align="center">X</td>
            </tr>
            <tr>
                <td>Netscape Certificate Type</td>
                <td>2.16.840.1.113730.1.1</td>
                <td align="center">X</td>
                <td align="center">X</td>
            </tr>
            <tr>
                <td>Netscape Base URL</td>
                <td>2.16.840.1.113730.1.2</td>
                <td align="center">X</td>
                <td align="center">X</td>
            </tr>
            <tr>
                <td>Netscape Revocation URL</td>
                <td>2.16.840.1.113730.1.3</td>
                <td align="center">X</td>
                <td align="center">X</td>
            </tr>
            <tr>
                <td>Netscape CA Revocation URL</td>
                <td>2.16.840.1.113730.1.4</td>
                <td align="center">X</td>
                <td align="center">X</td>
            </tr>
            <tr>
                <td>Netscape Certificate Renewal URL</td>
                <td>2.16.840.1.113730.1.7</td>
                <td align="center">X</td>
                <td align="center">X</td>
            </tr>
            <tr>
                <td>Netscape CA Policy URL</td>
                <td>2.16.840.1.113730.1.8</td>
                <td align="center">X</td>
                <td align="center">X</td>
            </tr>
            <tr>
                <td>Netscape SSL Server Name</td>
                <td>2.16.840.1.113730.1.12</td>
                <td align="center">X</td>
                <td align="center">X</td>
            </tr>
            <tr>
                <td>Netscape Comment</td>
                <td>2.16.840.1.113730.1.13</td>
                <td align="center">X</td>
                <td align="center">X</td>
            </tr>
        </table>

        <h2>Key Pair Import and Export</h2>

        KeyStore Explorer supports the following formats for the import and
        export of Key Pair entries.

        <br><br>

        <table border="1">
            <tr>
                <th>Format</th>
                <th>Private Part</th>
                <th>Public Part</th>
            </tr>
            <tr>
                <td>PKCS #12</td>
                <td align="center">X</td>
                <td align="center">X</td>
            </tr>
            <tr>
                <td>PKCS #8 (DER or PEM) *</td>
                <td align="center">X</td>
                <td align="center">&nbsp;</td>
            </tr>
            <tr>
                <td>PVK</td>
                <td align="center">X</td>
                <td align="center">&nbsp;</td>
            </tr>
            <tr>
                <td>OpenSSL (DER or PEM) **</td>
                <td align="center">X</td>
                <td align="center">X</td>
            </tr>
            <tr>
                <td>X.509 (DER or PEM)</td>
                <td align="center">&nbsp;</td>
                <td align="center">X</td>
            </tr>
            <tr>
                <td>PKCS #7 (DER or PEM)</td>
                <td align="center">&nbsp;</td>
                <td align="center">X</td>
            </tr>
            <tr>
                <td>PKI Path</td>
                <td align="center">&nbsp;</td>
                <td align="center">X</td>
            </tr>
            <tr>
                <td>SPC</td>
                <td align="center">&nbsp;</td>
                <td align="center">X</td>
            </tr>
        </table>

        <br>

        * - Where PKCS #8 is encrypted, KeyStore Explorer supports the following
        PBE algorithms:

        <br><br>

        <table border="1">
            <tr>
                <th>PBE Algorithm</th>
            </tr>
            <tr>
                <td>SHA-1 and 40 bit RC4</td>
            </tr>
            <tr>
                <td>SHA-1 and 128 bit RC4</td>
            </tr>
            <tr>
                <td>SHA-1 and 2 key DESede</td>
            </tr>
            <tr>
                <td>SHA-1 and 3 key DESede</td>
            </tr>
            <tr>
                <td>SHA-1 and 40 bit RC2</td>
            </tr>
            <tr>
                <td>SHA-1 and 128 bit RC2</td>
            </tr>
        </table>

        <br>

        ** - Where the private part is encrypted, KeyStore Explorer
        supports the following PBE algorithms:

        <br><br>

        <table border="1">
            <tr>
                <th>PBE Algorithm</th>
            </tr>
            <tr>
                <td>PBE with DES CBC</td>
            </tr>
            <tr>
                <td>PBE with DESede CBC</td>
            </tr>
            <tr>
                <td>PBE with 128 bit AES CBC</td>
            </tr>
            <tr>
                <td>PBE with 192 bit AES CBC</td>
            </tr>
            <tr>
                <td>PBE with 256 bit AES CBC</td>
            </tr>
        </table>

        <br>

        In addition, for the public part, only export is supported.

        <h2>Trusted Certificate Import and Export</h2>

        KeyStore Explorer supports the following formats for the import and
        export of Trusted Certificate entries.

        <br><br>

        <table border="1">
            <tr>
                <th>Format</th>
            </tr>
            <tr>
                <td>X.509 (DER or PEM)</td>
            </tr>
            <tr>
                <td>PKCS #7 (DER or PEM)</td>
            </tr>
            <tr>
                <td>PKI Path</td>
            </tr>
            <tr>
                <td>SPC</td>
            </tr>
        </table>

        <h2>Public Key Export</h2>

        KeyStore Explorer can export the public keys of Key Pair and
        Trusted Certificate entries in OpenSSL (SubjectPublicKeyInfo) format.

        <h2>Digital Signatures</h2>

        KeyStore Explorer supports the digital signing of CSRs, JARs and MIDlets
        using the following signature algorithms:

        <br><br>

        <table border="1">
            <tr>
                <th>Signature Subject</th>
                <th>Signature Algorithms</th>
            </tr>
            <tr valign="top">
                <td rowspan="15">
                    CSR
                </td>
                <td>MD2 with RSA</td>
            </tr>
            <tr>
                <td>MD5 with RSA</td>
            </tr>
            <tr>
                <td>RIPEMD-128 with RSA</td>
            </tr>
            <tr>
                <td>RIPEMD-160 with RSA</td>
            </tr>
            <tr>
                <td>RIPEMD-256 with RSA</td>
            </tr>
            <tr>
                <td>SHA-1 with RSA</td>
            </tr>
            <tr>
                <td>SHA-224 with RSA</td>
            </tr>
            <tr>
                <td>SHA-256 with RSA</td>
            </tr>
            <tr>
                <td>SHA-384 with RSA *</td>
            </tr>
            <tr>
                <td>SHA-512 with RSA **</td>
            </tr>
            <tr>
                <td>SHA-1 with DSA</td>
            </tr>
            <tr>
                <td>SHA-224 with DSA</td>
            </tr>
            <tr>
                <td>SHA-256 with DSA</td>
            </tr>
            <tr>
                <td>SHA-384 with DSA</td>
            </tr>
            <tr>
                <td>SHA-512 with DSA</td>
            </tr>
            <tr valign="top">
                <td rowspan="4">JAR</td>
                <td>MD2 with RSA</td>
            </tr>
            <tr>
                <td>MD5 with RSA</td>
            </tr>
            <tr>
                <td>SHA-1 with RSA</td>
            </tr>
            <tr>
                <td>SHA-1 with DSA</td>
            </tr>
            <tr valign="top">
                <td>MIDlet</td>
                <td>SHA-1 with RSA</td>
            </tr>
        </table>

        <br>
        * - Requires a signing RSA key size of at least 624 bits
        <br>
        ** - Requires a signing RSA key size of at least 752 bits

        <hr>

        <center><small>Copyright 2004 - 2013 Wayne Grant, 2013 - 2017 Kai Kramer</small></center>

    </body>
</html>
